Don't allow unfiltered HTML comments from a frame. Props nacin. fixes #20812

git-svn-id: http://core.svn.wordpress.org/trunk@20974 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2012-06-01 20:47:08 +00:00
parent 0f1f59b092
commit 01dd4131b8
2 changed files with 16 additions and 6 deletions


@ -816,8 +816,10 @@ function wp_comment_form_unfiltered_html_nonce() {
if ( !empty($post) )
$post_id = $post->ID;
if ( current_user_can('unfiltered_html') )
wp_nonce_field('unfiltered-html-comment_' . $post_id, '_wp_unfiltered_html_comment', false);
if ( current_user_can( 'unfiltered_html' ) ) {
wp_nonce_field( 'unfiltered-html-comment_' . $post_id, '_wp_unfiltered_html_comment_disabled', false );
echo "<script>(function(){if(window===window.parent){document.getElementById('_wp_unfiltered_html_comment_disabled').name='_wp_unfiltered_html_comment';}})();</script>\n";
}
}
/**
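Review bot: The new block in wp_comment_form_unfiltered_html_nonce() has no comment explaining why the nonce is emitted under the `_wp_unfiltered_html_comment_disabled` name and renamed client-side only when `window===window.parent`; a reader will otherwise take the inline script for dead code. A short why-comment above the `wp_nonce_field()` call would do: `// Emit the nonce under a disabled name and let the browser rename it only when the form is not framed, so a parent frame cannot drive a submission that skips kses filtering. Without JavaScript the field keeps the disabled name and the comment is filtered normally.` The fail-safe-without-JS behaviour is inferred from the field name the server presumably checks, which is outside this hunk, so confirm that before stating it. The function's signature and the earlier lines that set `$post_id` are outside the hunk.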


@ -1363,10 +1363,15 @@ function wp_filter_nohtml_kses($data) {
* @uses add_filter() See description for what functions are added to what hooks.
*/
function kses_init_filters() {
// Normal filtering.
add_filter('pre_comment_content', 'wp_filter_kses');
// Normal filtering
add_filter('title_save_pre', 'wp_filter_kses');
// Comment filtering
if ( current_user_can( 'unfiltered_html' ) )
add_filter( 'pre_comment_content', 'wp_filter_post_kses' );
else
add_filter( 'pre_comment_content', 'wp_filter_kses' );
// Post filtering
add_filter('content_save_pre', 'wp_filter_post_kses');
add_filter('excerpt_save_pre', 'wp_filter_post_kses');
@ -1386,10 +1391,13 @@ function kses_init_filters() {
* @since 2.0.6
*/
function kses_remove_filters() {
// Normal filtering.
remove_filter('pre_comment_content', 'wp_filter_kses');
// Normal filtering
remove_filter('title_save_pre', 'wp_filter_kses');
// Comment filtering
remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
remove_filter( 'pre_comment_content', 'wp_filter_kses' );
// Post filtering
remove_filter('content_save_pre', 'wp_filter_post_kses');
remove_filter('excerpt_save_pre', 'wp_filter_post_kses');
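Review bot: In kses_init_filters() the `// Comment filtering` branch now chooses the comment filter from `current_user_can( 'unfiltered_html' )` at the moment the filters are attached, so the choice is fixed to whoever the current user is at that time; if this runs before the current user is established, the `else` branch attaches the stricter `wp_filter_kses`, which is fail-safe but worth stating. A comment above the `if` such as `// Decided when filters are attached: users with unfiltered_html get post-level kses on comments, everyone else the stricter comment filter. Evaluated against the user current at attach time.` would record that. The matching hunk in kses_remove_filters() removes both candidate callbacks, which is the right choice given the capability may differ at removal time; a one-line comment there, `// Remove both candidates; the one attached depends on the user at attach time.`, would make the pairing explicit. Both functions continue past the end of their hunks.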